Anthropic opened up a public slice of its cybersecurity model and immediately ran into a familiar tension: the safety measures meant to stop malware development are also blocking the legitimate work that defenders do every day. The reaction from security professionals says a lot about where AI safety and real-world security practice keep colliding.
Anthropic released Fable on Tuesday, positioning it as the public-facing, restricted sibling of Mythos, the cybersecurity-focused model the company has been hyping for months. The pitch is straightforward. Mythos is powerful enough that Anthropic only wants vetted organizations touching it, while Fable gives the broader public a taste of that capability with stronger limits bolted on. Within hours, a pattern emerged that anyone who follows AI product launches could have predicted: the people most equipped to use the tool were the ones most frustrated by it.
The complaint, and who is making it
The loudest feedback came from working security practitioners, not anonymous critics. Valentina "Chompie" Palmiotti, a researcher at IBM X-Force with a real reputation in the exploit development community, said on social media that Fable "rejects any request that could be tangentially cyber related. Even innocuous tasks like reading a blog post." When a prompt trips the filters, Fable stops and tells the user its "safety measures flagged this message for cybersecurity or biology topics," then falls back to Claude Opus 4.8.
That fallback behavior is the part worth sitting with. Matt Suiche, a longtime figure in the memory forensics and incident response world and now a member of technical staff at the AI security startup Tolmo, described a specific failure mode: "If you ask it to write secure code, it assumes it is cybersecurity related work instead of software engineering best practices, and you get downgraded." His read is that the system is doing lexical pattern matching rather than understanding intent. "It seems to be keyword based, so anything in the lexical field of 'cybersecurity' triggers the guardrails."
Another researcher noted on X that even requesting a code review was enough to set off the filters. Code review is roughly the most ordinary, defensive, universally encouraged activity in software engineering. If asking for one reads as a threat, the classifier has drawn its boundary in a strange place.
Why Anthropic built it this way
The restrictions are not arbitrary. Anthropic has been vocal for years about the risk that capable models could lower the barrier to writing malware or finding vulnerabilities at scale, and the biology limits trace back to a parallel concern about bioweapon uplift. Those are not invented fears. A model genuinely good at offensive security is, almost by definition, a model good at the offensive parts of security.
The company's answer with Mythos was access control rather than capability control. When it launched in April, Mythos went only to a small group through an initiative called Project Glasswing, framed as an effort to harden critical software and infrastructure. Last week Anthropic widened that to hundreds of organizations across 15 countries. Fable is the consumer-tier compromise: ship the capability broadly, but wrap it in filters aggressive enough that the company is comfortable with anyone hitting the endpoint.
Seen that way, the over-blocking is a feature, not a bug. A keyword-driven filter that errs toward refusal is cheap to deploy and fails safe. The cost lands entirely on legitimate users, which is exactly the population complaining.
The counter-argument from inside the security world
What makes this episode more interesting than the usual "AI refuses harmless request" story is that the critics are not demanding Anthropic abandon caution. Suiche, despite his frustration, defended the approach. "It is understandable as we are still in the early days and they are still adapting their guardrails," he said, predicting the filters will loosen as frontier labs collaborate more with cybersecurity companies. "It's better to catch more people than not enough when you do such a release and to relax the guardrails over time."
That is a meaningfully different position from the typical free-speech-for-prompts argument. It accepts that a launch-day model should be too strict, on the theory that tightening after a leak is impossible while loosening after launch is routine. The disagreement is about calibration and speed, not philosophy.
There is also a structural release valve that the complaints tend to skip over. Anthropic runs a Cyber Verification Program, and approved applicants get far fewer restrictions on using Claude for security work. OpenAI operates an equivalent called Trusted Access for Cyber. So the real question is not whether defenders can use these models for offense-adjacent work. It is whether the friction of getting verified is worth it, and whether the default consumer experience should punish people who have not gone through that gate.
The pattern this fits
Step back and this looks less like a Fable problem and more like the recurring shape of safety-versus-utility in shipped AI products. Every lab that has tried to draw a line around "dangerous" capabilities has discovered that the dangerous capability and the valuable one are frequently the same capability pointed in different directions. Writing exploit code and writing the detection logic that catches it draw on identical knowledge. Explaining how a phishing kit works is what you do to build the filter that blocks it.
Keyword filtering cannot tell those apart because the difference lives in intent and context, not vocabulary. That is precisely the kind of judgment the underlying model is good at and the safety layer sitting on top of it is not. The result is a capable engine throttled by a blunt gatekeeper, and the users who notice first are the experts whose entire job lives in the gray zone.
Anthropic did not respond to a request for comment on the criticism. The more telling signal will be how fast the guardrails move. Suiche's bet is that they relax as the labs build trust with the security industry. If Fable is still refusing to read blog posts in six months, the complaint shifts from a launch-day rough edge to a statement about how Anthropic actually weighs its defender users against its threat model. For now, the people best positioned to put a cybersecurity model to good use are the ones being told to take their request elsewhere.
Comments
Please log in or register to join the discussion